summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* tests: add/fix inet+exthdr testsFlorian Westphal2016-03-025-0/+327
| | | | | | | | exhdr needs to be treated as if we'd test an ipv6 header field, i.e. inet, bridge, netdev need to add a dependency on ipv6 protocol. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* evaluate: enforce ip6 proto with exthdr expressionFlorian Westphal2016-03-022-32/+28
| | | | | | | | | | | | | | Don't allow use of exthdr with e.g. ip family. Move frag.t to ip6 directory and don't use it with ipv4 anymore. This change causes major test failures for all exthdr users since they now fail with inet/bridge/netdev families. Will be resolved in a later patch -- we need to add an ipv6 dependency for them. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* proto: use parameter-problem for icmpv6 typePablo Neira Ayuso2016-02-012-0/+9
| | | | | | | To keep it consistent with icmpv4 naming. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=911 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: test vlan on ingressPablo Neira Ayuso2016-01-312-0/+237
| | | | | | | | | | This generates the same code as bridge does, but it includes this check in first place. [ meta load iiftype => reg 1 ] [ cmp eq reg 1 0x00000001 ] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: test port ranges and maps for redirectPablo Neira Ayuso2016-01-314-0/+47
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add fwd statement for netdevPablo Neira Ayuso2016-01-312-0/+21
| | | | | | | | | | | This patch add support for the forward statement, only available at the netdev family. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress fwd to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: add dup statement for netdevPablo Neira Ayuso2016-01-312-0/+21
| | | | | | | | | | | | This patch contains the missing chunk to add support for the netdev family. Part of the support slipped through in the original patch to add the dup statement for IPv4 and IPv6. # nft add table netdev filter # nft add chain netdev filter ingress { type filter hook ingress device eth0 priority 0\; } # nft add rule netdev filter ingress dup to dummy0 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ip6: Add tests for icmpv6 packet typesShivani Bhardwaj2016-01-312-0/+10
| | | | | | | | Add tests for the icmpv6 packet types policy-fail and reject-route to be used with REJECT target. Signed-off-by: Shivani Bhardwaj <shivanib134@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink_delinearize: only remove protocol if equal cmp is usedFlorian Westphal2016-01-272-0/+24
| | | | | | | | | | | | | | | | | | Check for OP_EQ before removing a dependency, else we may zap wrong one, changing the meaning of the rule. Listing without patch: ip protocol udp udp dport ssh ip protocol udp udp dport ssh counter packets 1 bytes 308 ip protocol udp udp dport ssh With patch: ip protocol != tcp udp dport ssh ip protocol != udp udp dport ssh ip protocol != tcp counter packets 1 bytes 308 udp dport ssh Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* netlink: do binop postprocessing also for map lookupsFlorian Westphal2016-01-264-0/+35
| | | | | | | | | | old nft list: mark set unknown unknown & 0xfff [invalid type] map { 3 : 0x00000017, 1 : 0x0000002a} new: mark set vlan id map { 3 : 0x00000017, 1 : 0x0000002a} Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add two map test casesFlorian Westphal2016-01-266-0/+54
| | | | | | | | One normal map lookup, one with an explicit binop. The latter is supposed to also work with the followup patch applied. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: support limit rate over valuePablo Neira Ayuso2016-01-142-16/+99
| | | | | | | | | | | | | | | | | | So far it was only possible to match packet under a rate limit, this patch allows you to explicitly indicate if you want to match packets that goes over or until the rate limit, eg. ... limit rate over 3/second counter log prefix "OVERLIMIT: " drop ... limit rate over 3 mbytes/second counter log prefix "OVERLIMIT: " drop ... ct state invalid limit rate until 1/second counter log prefix "INVALID: " When listing rate limit until, this shows: ... ct state invalid limit rate 1/second counter log prefix "INVALID: " thus, the existing syntax is still valid (i.e. default to rate limit until). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: ct: remove BUG cases that work with current masterFlorian Westphal2016-01-071-33/+0
| | | | | | | | We have tests for these in ip/ct.t. (We cannot use ipv4 addresses e.g. in ipv6 family). Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ct regression tests for bytes, packetsFlorian Westphal2015-12-142-0/+27
| | | | | Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: swap key and direction in ct_dir syntaxFlorian Westphal2016-01-073-24/+32
| | | | | | | | | | | | | | | old: ct saddr original 1.2.3.4 new: ct original saddr 1.2.3.4 The advantage is that this allows to add ct keys where direction is optional without creating ambiguities in the parser. So we can have ct packets gt 42 ct original packets gt 42 Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: netdev family with ingress chainPablo Neira Ayuso2016-01-1334-0/+2999
| | | | | | | This patch enables tests for the new netdev family and its ingress chain. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: test udp from ip and ip6 familiesPablo Neira Ayuso2016-01-133-2/+446
| | | | | | The existing test was checking for the ip family three times, fix it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: don't test log statement from protocol matchPablo Neira Ayuso2016-01-1310-68/+24
| | | | | | | | | | | | I think this unit tests should be self-contained at some level. The shell/ directory should be used to catch regressions at ruleset level, ie. these kind of combinations. Another motivation is that I want that netdev/ingress gets tested (coming in a follow up patch), and we don't support log there yet, so I would need to skip this test for that case. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: update test files syntaxPablo M. Bermudo Garay2016-01-1252-120/+158
| | | | | | | | The test files have been adapted to the syntax defined in the previous commit "tests/py: modify supported test file syntax" Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: modify supported test file syntaxPablo M. Bermudo Garay2016-01-121-26/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Until now, the syntax to represent tables and chains in test files was: *ip;test-ip4 *ip6;test-ip6 *inet;test-inet :input;type filter hook input priority 0 Where lines starting with * are tables and lines starting with : are chains. This commit change the test script to deal with new syntax: :input;type filter hook input priority 0 *ip;test-ip4;input *ip6;test-ip6;input *inet;test-inet;input Now the chains should be included before tables. Also, lines defining tables have a new third part (delimited by semicolon) where the chains needed by the table are declared. If table needs to include more than one chain, those must be separated by commas: :input;type filter hook input priority 0 :forward;type filter hook forward priority 0 :output;type filter hook output priority 0 *arp;test-arp;input,forward,output This new syntax allow to include in the same test file chains not supported by all families of tables tested. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: convert chains and tables to objectsPablo M. Bermudo Garay2016-01-121-58/+72
| | | | | | | | Now these concepts are represented by objects instead of lists or sparse parameters. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: simplify use of globalsPablo M. Bermudo Garay2016-01-121-18/+14
| | | | | | | | | | | The script made a messy use of globals, these was sometimes accessed directly and passed as parameter in other cases. Since is not expected having to deal with threads in the script, now the globals are always accessed directly for the sake of simplicity. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: fix stylePablo M. Bermudo Garay2016-01-121-100/+109
| | | | | | | | | | - Adjust lines to 80 columns style - Add two lines of separation between functions - Remove redundant parentheses and semicolons - Apply other minor style fixes Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/py: remove unused variablesPablo M. Bermudo Garay2016-01-121-30/+8
| | | | | | | Only that. The script had a lot of unused variables. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add ct tests for ip familyFlorian Westphal2016-01-042-0/+85
| | | | | | | | | | Cannot check e.g. saddr for 192.168.0.1 for 'any' protocol, nft needs to expect arguments of a specific address type. So e.g. when using 'inet' we need to add a rule that makes the expected family explicit, e.g. 'meta nfproto ipv4'. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: py: check set value from selector and mapPablo Neira Ayuso2016-01-032-0/+15
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: add tests for handles and commentsArturo Borrero2015-12-254-0/+34
| | | | | | | Here some tests for optional things like rule handles and comments. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: add test case for cache bugArturo Borrero2015-12-181-0/+35
| | | | | | | | | | | | | | | | | | | | | | | This testcase for sets catch a cache bug. By the time of this commit this test is failing, so the test suite shows: % sudo ./run-tests.sh I: using nft binary /usr/local/sbin/nft I: [OK] ./testcases/maps/anonymous_snat_map_0 I: [OK] ./testcases/maps/named_snat_map_0 W: [FAILED] ./testcases/sets/cache_handling_0 I: [OK] ./testcases/optionals/comments_0 I: [OK] ./testcases/optionals/comments_handles_monitor_0 I: [OK] ./testcases/optionals/handles_1 I: [OK] ./testcases/optionals/handles_0 I: [OK] ./testcases/optionals/comments_handles_0 I: results: [OK] 7 [FAILED] 1 [TOTAL] 8 Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/shell: add maps tests casesArturo Borrero2015-12-182-0/+18
| | | | | | | Let's add some tests cases for maps. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: add shell test-suiteArturo Borrero2015-12-182-0/+95
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This new test-suite is intended to perform tests of higher level than the other reggresion test-suite. It can run arbitrary executables which can perform any test apart of testing the nft syntax or netlink code (which is what the regression tests does). To run the test suite (as root): % cd tests/shell % ./run-tests.sh Test files are executables files with the pattern <<name_N>>, where N is the expected return code of the executable. Since they are located with `find', test-files can be spreaded in any sub-directories. You can turn on a verbose execution by calling: % ./run-tests.sh -v Before each call to the test-files, `nft flush ruleset' will be called. Also, test-files will receive the environment variable $NFT which contains the path to the nftables binary being tested. You can pass an arbitrary $NFT value as well: % NFT=../../src/nft ./run-tests.sh Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests/: rearrange tests directoryArturo Borrero2015-12-15158-0/+0
| | | | | | | | | | | | | | | | | | Rearrange the directory to obtain a better organization of files and tests-suites. We end with a tree like this: tests | .--- py .--- shell .--- files This was suggested by Pablo. Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: vlan pcp and cfi are located in the first bytePablo Neira Ayuso2015-12-141-10/+10
| | | | | | | Adjust tests to fix wrong payloads, both pcp and cfi are located in the first nibble of the first byte. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: fix crash when rule test is malformedPablo M. Bermudo Garay2015-12-142-7/+6
| | | | | | | | | | | The tests script suffers a crash when a rule test line is malformed (e.g. if expected result is missing). This commit fixes these crashes and now the line is skipped and a warning is printed. While at it, fix a malformed test line too. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: remove useless logicPablo M. Bermudo Garay2015-12-145-8/+2
| | | | | | | | | | In the test files, some lines defining tables was commented out with a minus "-" sign, also used to mark broken rules. This commit replaces these signs with actual comments "#" and removes the code that handled the situation. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add *.got files to .gitignorePablo M. Bermudo Garay2015-12-101-26/+0
| | | | | | | | | | During tests execution, some *.payload.got files may be generated. To avoid annoyances, this commit adds the pattern to .gitignore. Also, the file "dup.t.payload.got", that was presumably included by mistake, has been deleted. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: regression: fix arp.t expected payloadFlorian Westphal2015-11-271-17/+17
| | | | | | previous commit fixed arp header definition so fix payload as well. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: regression: allow to run tests from anywherePablo M. Bermudo Garay2015-11-191-4/+6
| | | | | | | | | | | | | Since 357d8cf "tests: use the src/nft binary instead of $PATH one", the tests script needs to be executed from nftables repository root. Now the script can be run from any location and also checks the binary existence. To run a single test file, the path must be relative from the directory where you launch the script. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: regression: homogenize indentation stylePablo M. Bermudo Garay2015-11-191-5/+5
| | | | | | | | | Python interpreter doesn't like mixed indentation. So in order to prevent future problems, this commit replace some tabs found in the script with space indentation. Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add inet test for ip/ether concatenationFlorian Westphal2015-11-104-0/+42
| | | | | | | | Test rule from Pablo, it caused assertion failure with earlier versions of nft (caused by 7ead4932f9ab, later fixed via 775e7ff1f5ddaa32). Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add test cases for ethernet header matchingFlorian Westphal2015-11-068-0/+200
| | | | | | Adds ether saddr statements for inet, bridge and ip/ip6 families. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add tests matching on ether saddr for inet, bridge, ip, ip6Florian Westphal2015-11-065-0/+227
| | | | Signed-off-by: Florian Westphal <fw@strlen.de>
* src: add interface wildcard matchingPablo Neira Ayuso2015-11-022-0/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Contrary to iptables, we use the asterisk character '*' as wildcard. # nft --debug=netlink add rule test test iifname eth\* ip test test [ meta load iifname => reg 1 ] [ cmp eq reg 1 0x00687465 ] Note that this generates an optimized comparison without bitwise. In case you want to match a device that contains an asterisk, you have to escape the asterisk, ie. # nft add rule test test iifname eth\\* The wildcard string handling occurs from the evaluation step, where we convert from: relational / \ / \ meta value oifname eth* to: relational / \ / \ meta prefix ofiname As Patrick suggested, this not actually a wildcard but a prefix since it only applies to the string when placed at the end. More comments: * This relaxes the left->size > right->size from netlink_parse_cmp() for strings since the optimization that this patch applies may now result in bogus errors. * This patch can be later on extended to apply a similar optimization to payload expressions when: expr->len % BITS_PER_BYTE == 0 For meta and ct, the kernel checks for the exact length of the attributes (it expects integer 32 bits) so we can't do it unless we relax that. * Wildcard strings are not supported from sets and maps yet. Error reporting is not very good at this stage since expr_evaluate_prefix() doesn't have enough context (ctx->set is NULL, the set object is currently created later after evaluating the lhs and rhs of the relational). I'll be following up on this later. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: add tests for dupPablo Neira Ayuso2015-09-305-0/+80
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: limit: extend them to validate new bytes/second and burst parametersPablo Neira Ayuso2015-09-232-6/+63
| | | | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* vlan: make != tests workFlorian Westphal2015-09-182-0/+12
|
* tests: vlan testsFlorian Westphal2015-09-182-0/+223
| | | | | | | add a few regression tests that match vlan id/dei/pcp fields of the vlan header. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add tests for ip version/hdrlength/tcp doffFlorian Westphal2015-09-187-0/+78
| | | | | | | Header fields of 4 bit lengths. Requires implicit masks and shifting of RHS constant. Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: don't depend on set element orderFlorian Westphal2015-09-182-1/+30
| | | | | | | | | | | | | Pablo reported test failures because the order of returned set entries is not deterministic. This sorts set elements before comparision. Patrick suggested to move ordering into libnftnl (since we could f.e. also get duplicate entries due to how netlink dumps work), but thats a bit more work. Hence this quick workaround. Reported-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Florian Westphal <fw@strlen.de>
* tests: add concatenations and maps; combine them tooPablo Neira Ayuso2015-09-118-0/+118
| | | | | | | This patch adds simple tests for concatenation and maps, including more advanced tests that combine them. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* tests: display error when trying to run tests out of the root directoryPablo Neira Ayuso2015-09-071-0/+5
| | | | | | | | | | Since 357d8cfcceb2 ("tests: use the src/nft binary instead of $PATH one"), the tests fail if you try to run them if you are not under the root directory of the nftables repository. Display an error so I don't forget I have to do it like this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>